rndc/controls block clarification needed?

Jon A. continualuse2u at gmail.com
Thu May 31 16:24:38 UTC 2012


Just spent a bit of time on missing a subtle rndc issue with Bind 9.9.1's
control block -- either I'm missing a better way to do this, or perhaps
bind should more appropriately issue a warning or fail to load instead of
silently accepting my bad control block.

I did RTFM, and until I'd spent a bunch of time playing with permutations,
I missed the subtle hints in the documentation.  Perhaps I still am, in
which case, I welcome a cleaner way to do this.

Ultimately I believe the issues to be that 1) you can't use the same
control port (993) for more than one inet statement and 2) using more than
one key isn't going to work.

I initially wanted the following, but had issues with getting rndc status
to work from both places:
controls {
       inet * port 953 allow { localhost; authorized-controllers; } keys { rndc-key; masterkey; };
};


Also tried:
controls {
       inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
       inet * port 953 allow { authorized-controllers; } keys { masterkey; };
};

Ultimately it had to be set up as:

controls {
       inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
       inet * port 9953 allow { authorized-controllers; } keys { masterkey; };
};

Is there a cleaner way (that works!) to set this up?  If not, could it be
made to work, or documentation/warnings be created to pound such ideas out
of my head in the future?
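As an added illustration (not part of the post above, and not BIND's own tooling), the following Python script parses the three `controls` blocks from the message into listener records and flags the condition that explains why the second attempt fails: an `inet` statement without an explicit `port` defaults to 953, so `inet 127.0.0.1 ...` and `inet * port 953 ...` both try to own port 953, and the wildcard address overlaps 127.0.0.1. The sample configs are copied from the post; the collision rule (same port plus same or wildcard address) is an assumption written to mirror the poster's findings, and the script makes no claim about how many keys a single `inet` statement accepts.

```python
import re

DEFAULT_RNDC_PORT = 953  # port an inet statement listens on when "port" is omitted

# Sample configs copied from the mailing-list post (constructed test input).
CONFIG_SINGLE_LISTENER = """
controls {
    inet * port 953 allow { localhost; authorized-controllers; } keys { rndc-key; masterkey; };
};
"""

CONFIG_SHARED_PORT = """
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
    inet * port 953 allow { authorized-controllers; } keys { masterkey; };
};
"""

CONFIG_WORKING = """
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
    inet * port 9953 allow { authorized-controllers; } keys { masterkey; };
};
"""

# Matches one "inet ADDR [port N] allow { ... } [keys { ... }];" statement.
INET_RE = re.compile(
    r"inet\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s+keys\s*\{(?P<keys>[^}]*)\})?"
    r"\s*;",
    re.S,
)


def _split_list(body):
    """Turn 'a; b;' into ['a', 'b'], ignoring whitespace and empty entries."""
    return [item.strip() for item in body.split(";") if item.strip()]


def parse_controls(text):
    """Return one dict per inet statement: addr, effective port, allow list, key list."""
    listeners = []
    for m in INET_RE.finditer(text):
        listeners.append({
            "addr": m.group("addr"),
            "port": int(m.group("port") or DEFAULT_RNDC_PORT),
            "allow": _split_list(m.group("allow")),
            "keys": _split_list(m.group("keys") or ""),
        })
    return listeners


def find_conflicts(listeners):
    """Pairs of listeners that would compete for the same socket.

    Heuristic (assumption, not BIND's own check): two listeners collide when
    they use the same port and either the same address or one of them is the
    wildcard '*', which covers every local address including 127.0.0.1.
    """
    conflicts = []
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            same_port = a["port"] == b["port"]
            overlapping = a["addr"] == b["addr"] or "*" in (a["addr"], b["addr"])
            if same_port and overlapping:
                conflicts.append((a, b))
    return conflicts


def report(text):
    """Human-readable summary for one controls block."""
    listeners = parse_controls(text)
    lines = []
    for l in listeners:
        lines.append(f"listen {l['addr']}:{l['port']} allow={l['allow']} keys={l['keys']}")
    for a, b in find_conflicts(listeners):
        lines.append(
            f"CONFLICT: {a['addr']}:{a['port']} and {b['addr']}:{b['port']} "
            f"share port {a['port']} (omitted port defaults to {DEFAULT_RNDC_PORT})"
        )
    return lines


if __name__ == "__main__":
    for name, cfg in [("single", CONFIG_SINGLE_LISTENER),
                      ("shared-port", CONFIG_SHARED_PORT),
                      ("working", CONFIG_WORKING)]:
        print(f"== {name} ==")
        for line in report(cfg):
            print("  " + line)
```

Running it prints one CONFLICT line for the shared-port attempt and none for the other two, which is the distinction between the second and third blocks in the post: the working version gives the wildcard listener its own port (9953) so the two sockets no longer overlap.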

